Malware/Spyware Removal Guide
-
My laptop is infected with Personal Antivirus. I am a novice with computers and do not really understand solutions I have seen so far. What would be the simplest and cheapest way to remove this? Any suggestions?
-
Download MALWAREBYTES (Make sure you click 'DOWNLOAD NOW')
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
UPDATE and FULL SCAN
Post the log here AFTER you've deleted everything it finds
Malwarebytes is free, by the way
-
Been having a problem with a Browser Hijacker, noticeable slowdown and clicking on links brings me to a different address altogether, example:
Clicking on Yahoo Mail in Google brings me to the following address: http://clickcheck.ru/check.php?t=74f38596f594ac952a0deab4594b36df&q=yaho+mail&bi=1150304614-2966927733-681764103-101265881&p=ie&a=998&s=3&e=google&v=sni06040901ie&f=income&b=0.0086&u=
I have scanned with the following to try and fix this problem: AVG, Ad-Aware, CCleaner, SUPERAntiVirus, Malwarebytes, Avast and Avira. All found separate problems, but none have fixed this one...
Here is a copy of my HijackThis log, hope someone can shed some light on it:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:36, on 29/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carolyn\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {b96a7603-5352-40da-8e18-c15ea809c2ca} - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://60.45.180.242/SysCamInst.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093698483235
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127139013587
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\,C:\WINDOWS\system32\nefuwipi.dll c:\windows\system32\nokanoza.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: corelz - C:\Program Files\Windows Media Player\Skins\corelz.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
--
End of file - 9652 bytes
-
WWN ~
Can you please post the Malwarebytes log and the SAS log please (And whatever Avira found if you can)?
Then TICK these in hijack then FIX them ~
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {b96a7603-5352-40da-8e18-c15ea809c2ca} - (no file)
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: corelz - C:\Program Files\Windows Media Player\Skins\corelz.dll (file missing)
Use the 32 bit AVG removal tool
http://www.avg.com/download-tools
-
Thanks for your help! Here's the SAS, Malware and Avira log files you asked for, respectively:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/29/2009 at 06:52 PM
Application Version : 4.26.1000
Core Rules Database Version : 3868
Trace Rules Database Version: 1816
Scan type : Complete Scan
Total Scan Time : 00:41:01
Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 5488
Registry threats detected : 0
File items scanned : 20156
File threats detected : 20
Adware.Tracking Cookie
Malwarebytes' Anti-Malware 1.36
Database version: 2053
Windows 5.1.2600 Service Pack 2
29/04/2009 17:59:43
mbam-log-2009-04-29 (17-59-43).txt
Scan type: Full Scan (C:\|)
Objects scanned: 143555
Time elapsed: 22 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{74fa5d99-38cd-4e3e-b765-54fad4bda166} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74fa5d99-38cd-4e3e-b765-54fad4bda166} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Avira AntiVir Personal
Report file date: 29 April 2009 19:01
Scanning for 1369743 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : LAPPY
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: 29 April 2009 19:01
Starting search for hidden objects.
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\AVSCAN-20090429-190402-E462D08D.avp'.
c:\windows\system32\drivers\ovfsthgsvkwprtjkorisetuirrudvinsfthtid.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a5e9707.qua'!
c:\windows\system32\ovfsthbuaihboevslbawrrjgrvbyaveullrqub.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthkuvslpothwgvdvmanxjixobwusayicfx.dat
[INFO] The file is not visible.
c:\windows\system32\ovfsthvyivowvwggorqxjqfjaluatkwuyadmqu.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthlgeiiqgigqmqlubxbwgmkietvvwfpnlv.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthbquqioewchudlhbvaqpacbahylrlicsw.dat
[INFO] The file is not visible.
End of the scan: 29 April 2009 19:04
Used time: 02:48 Minute(s)
The scan has been done completely.
0 Scanned directories
6 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
48834 Objects were scanned with rootkit scan
13 Hidden objects were found
-
Your computer's well infected!
Please run COMBOFIX
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe')
-
ComboFix 09-04-29.01 - Carolyn 29/04/2009 23:52.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.759.471 [GMT 1:00]
Running from: c:\documents and settings\Carolyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carolyn\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\flvDX.dll
c:\windows\system32\msfDX.dll
c:\windows\system32\nbDX.dll
c:\windows\system32\PCANDIS5.SYS
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\flvDX.dll
c:\windows\system32\msfDX.dll
c:\windows\system32\nbDX.dll
c:\windows\system32\PCANDIS5.SYS
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2002-05-30 163840]
"SENS Keyboard V4 Launcher"="c:\program files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE" [2002-07-17 40960]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-02 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-27 516440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-05-31 87039]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-8 24633]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Exif Launcher.lnk - c:\program files\Exif Launcher\QuickDCF.exe [2003-5-5 184320]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\VLC.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;c:\windows\system32\drivers\A311.sys [2002-09-16 30263]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\system32\drivers\A310.sys [2002-09-16 32823]
R3 DOSMEMIO;MEMIO; [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-27 953168]
R3 SWLD12;SAMSUNG 11Mbps WLAN MiniPCI/PCI Card;c:\windows\system32\DRIVERS\swld12.sys [2002-08-23 32768]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-27 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-28 108289]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:44]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Search with Freeserve - c:\progra~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://60.45.180.242/SysCamInst.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 23:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-29 23:57
ComboFix-quarantined-files.txt 2009-04-29 22:57
ComboFix2.txt 2009-04-29 20:03
Pre-Run: 6,315,671,552 bytes free
Post-Run: 6,323,044,352 bytes free
195 --- E O F --- 2009-04-28 12:56
-
Open notepad and copy/paste the text in RED below
File::
c:\windows\system32\flvDX.dll
c:\windows\system32\msfDX.dll
c:\windows\system32\nbDX.dll
c:\windows\system32\PCANDIS5.SYS
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
then run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
http://www.kaspersky.co.uk/virusscanner
Please post the complete log it creates
-
Hi again. The new combofix log added to original post. I'll complete the kaspersky online scan now, and edit with results.
EDIT: After completing a 'Crucial Areas' scan, I can confirm no Infections were found.
As a note, after running the Combofix for the first time I had noticed a much better browsing experience. Also, the directing of websites has since stopped. Your help up to this point has really been appreciated!
-
All this bickering about safe mode etc
Any "decent" PC technician and NOT some "Jo the kid on PC specialist" knows that a decent boot cd is the way to go
I am a Microsoft (MCSA), CompTIA (A+, N+, Server+) and Cisco certified tech and I wouldn't go on any repair job without my bootable cds / USB drives.
Reasons: some PCs are so !!!!ed that you cannot even get into safe or the system is so slow that you will be there for hours, and you don't want to be hanging about someone's house for hours waiting on slow anti-virus / spyware scans to finish.
I can help users create their own bootable CD or USB drive
Just PM me